
Basic authentication and test authentication from ProxySG Management Console may fail for users in the foreign domain


Article ID: 168268


Updated On:


ProxySG Software - SGOS


The previous implementation of test/basic authentication contacted a KDC in the user's domain and used Kerberos on the back end to authenticate the user. It fails because the appliance considers that domain offline: the appliance must have been unable to connect to a DC in the user's domain when it tried.
In SGOS and later, the appliance uses NTLM on the back end for basic/test authentication (just like BCAAA). It takes the basic credentials and issues an NTLM request, acting as the NTLM client. For basic and test authentication, the appliance therefore sends the NTLM request to a DC in its own domain, and that DC forwards the request to a DC in the user's domain (the foreign domain in this case). It does not matter whether the appliance thinks the user's domain is offline, because it does not have to talk directly to the DC in the user's domain.

The new implementation in and later that uses NTLM doesn't require the appliance to connect directly to a DC from the user's domain.


This is fixed in SGOS or later.


Make sure that the appliance can also talk directly to the DCs in the foreign domain.